Cybersecurity Is a One-for-All Undertaking

Alexandre Dumas might have made the “One for All and All for One” motto famous when he wrote it as the rallying cry in the Three Musketeers, but it’s unlikely he realized the same concept would apply to law enforcement network security 175 years later.¹ Some law enforcement administrators may believe the networks, systems, and data of their agency are safe because the municipal information technology (IT) staff “handles” that. Others believe that their networks are secure because they are isolated from the other municipal networks (to clear this up, “air-gapped” or isolated networks are a myth). In today’s environment, it is as much the responsibility of the agency head to take appropriate steps to protect the network as it is the IT staff’s responsibility. A law enforcement administrator is the final authority in protecting the agency’s networks and safeguarding their data.

Law enforcement networks routinely contain equipment and software developed and maintained by third parties, and by its very nature, law enforcement could not be successful without connections to other government and law enforcement networks and the Internet. Beyond the local network, law enforcement also connects to other law enforcement networks that engage with each other via email, transmitting data back and forth at an incredible rate. In the United States, interconnected systems might include other local and regional agencies, such as neighboring departments and the RISS network, as well as access to federal agencies and databases, such as the Criminal Justice Information Services (CJIS), and private vendors who store body cam data or maintain the agency website.

While this interconnectivity allows for law enforcement to be more collaborative and successful than in any other time in history, it also increases the vulnerabilities to valuable resources. Like a teacher in a classroom full of children with colds, the increased exposure and interactions increase the chances for infection. Cybercriminals and cyber threats have evolved to more efficiently take advantage of law enforcement’s need for connectivity across agencies.

According to a Forbes article, a ransomware infection impacted the city of Atlanta, Georgia, in 2018. That infection spread through 5 of the 13 city departments, including the police department, where the ransomware encrypted the records system and several years of dashcam footage. According to Chief Erika Shields, the lost files were not critical as “the dashcam doesn’t make the cases for us.”² While the Atlanta Police Department was not severely impacted, imagine if the virus had not been caught and had made it further into the system, crippling operations and communications. What if other agencies, trusting communications from Atlanta, had become infected? Current malware strains, like Emotet, take advantage of this type of interconnectivity.

Emotet is an advanced, modular banking Trojan that rapidly spreads via connected systems and email. With network-wide compromises and remediation costs up to 1 million dollars, an Emotet infection can be extremely damaging for a law enforcement agency.³ Emotet captures credentials stored on a local network and uses them to attempt to spread through networks that share files with one another, passing the infection from network to network. Emotet then takes it a step further by spreading via email. Contacts in compromised email accounts are identified and receive an email with an infected attachment that appears to come from another contact. The cyber actors behind Emotet understand that users are more likely to open emails from others they know, resulting in higher cross-department infection rates.

In 2015, in a different type of incident, the notorious hacker Bitcoin Baron targeted a city government with a sustained distributed denial of service (DDoS) attack that shut down silent dispatch and limited the effectiveness of laptops in patrol vehicles. A DDoS attack is the cyber equivalent of ringing a doorbell and running away, thousands to hundreds of thousands of times a minute, overwhelming the network and the city’s Internet connection. This included the public safety network’s Internet access, shutting down silent dispatch and blocking officers from conducting database checks.⁴ Bitcoin Baron has since been arrested and charged, but does that alone return the faith of a community in its law enforcement agency? Does the arrest of a cybercriminal restore the belief the agency has in the technology that is vital to its daily work?

Thinking that the larger threat can come only from outside can also be an error. In a slightly different issue in Ohio, prisoners, misusing a program that employed them to recycle old computers, were able to build themselves computers, which they hid in the ceiling of the correctional facility.⁵ The subsequent investigation revealed that the inmates had used the computers to carry out identity theft schemes, exchange messages, access pornographic material, and conduct research on tax refund fraud and homemade drugs.

Law enforcement administrators must also address risks from hardware and software acquisitions. Often referred to as the “supply chain,” the purchasing of equipment and software should take into account potential vulnerabilities. Adding equipment and software to existing, secure networks without properly vetting them can allow criminals access to agency information and technology—the equivalent of leaving the doors of a house unlocked and the window open, and then being surprised when someone steals the owner’s belongings. In November 2018, Bloomberg referenced an annual bipartisan congressional panel report that cited

close supply chain integration between the United States and China, and China’s role as an economic and military competitor to the United States create enormous economic, security, supply chain and data privacy risks for the United States.⁶

Not only could a foreign power use technology manufactured within its nation’s factories to exploit another country’s technology infrastructure, but the same vulnerability could also potentially be used by other actors to do the same, opening up law enforcement’s most sensitive information to those it is seeking to arrest. For example, in September 2017, the popular information technology (IT) tool CCleaner was compromised in a security incident. Anyone who downloaded the tool to clean potentially unwanted files from their systems, including law enforcement departments, was vulnerable to having the computer’s name, IP address, list of installed software, and other information transmitted to a server.⁷ While information such as this is not generally sensitive, due to the unique software in law enforcement agencies, it would identify a system as a law enforcement computer.

Rather than attempting to secure a network by fully isolating it—an almost impossible task—the goal should be to enforce security controls that prevent as much malicious activity as possible. Law enforcement administrators should think about cybersecurity in the same way they secure their police stations. Instead of working to isolate and prevent anyone from entering, security efforts should work to stop untrusted people from entering sensitive areas and provide protections to avoid unnecessary risks. Just as with physical security, agencies should identify the entrance and egress points to their network or software and lock them down with the appropriate security measures. On a network, this means determining what other networks and systems are connected. Are those higher risk connections to the Internet or lower risk connections, such as to another government?

While there is no 100 percent secure solution, law enforcement executives, regardless of the size of their agencies, should review information available in the Resources section of the International Association of Chiefs of Police (IACP) website. The Resources section of the IACP website includes a technology section with a best practices guide titled Best Practices Guide for Acquisition of New Technology.⁸ Law enforcement executives should utilize the practices outlined in the acquisition guide in conjunction with the universal principles provided in the 2014 IACP Technology Policy Framework.⁹ These principles include specification of use, policies and procedures, privacy and data quality, data minimization and limitation, performance evaluation, transparency and notice, security, data retention, access and use, and auditing and accountability. Further, law enforcement executives should work to become familiar with the standards provided through the U.S. Department of Commerce, National Institute of Standards and Technology (NIST). Although originating in the United States, the NIST standards—or their peers in other countries—apply to departments around the world. To aid law enforcement executives in this process, the IACP created the Cyber Report Card, which is available, with additional resources, at the IACP Law Enforcement Cyber Center.¹⁰

In the end, law enforcement executives and administrators must remember that they cannot address this alone. Now is the time to work closely, not only with the agency or municipal IT staffs, but with other law enforcement leaders and IT staff across multiple connected jurisdictions and with the other agencies within one’s jurisdiction to collaboratively approach these challenges as a team. Only through working together can these challenges be overcome.

D’Artagnan’s question in Dumas’ Three Musketeers succinctly summarizes the needed approach to cybersecurity, “And now gentlemen, all for one, one for all—that is our motto, is it not?”

Notes:

1 Alexandre Dumas, Three Musketeers (1844).

2 Lee Matthews, “Ransomware That Hit Atlanta’s Computers Destroyed Police Evidence,” Forbes, June 8, 2018.

3 MS-ISAC, “MS-ISAC Security Primer—Emotet,” 2018.

4 U.S. Department of Justice, “Arizona Man Sentenced to Prison for Distributed Denial of Service Attacks Against Emergency Communications System and Other Municipal Websites,” press release, June 19, 2018.

5 Gisela Crespo, “Investigation Found Ohio Inmates Built and Hid Computers in Prison,” CNN, April 12, 2017.

6 Bill Faries, Anthony Capaccio, and Andrew Mayeda, “U.S. Should Be Wary of China’s Supply Chain Threat, Panel Says,” Bloomberg, November 14, 2018.

7 “CCleaner v5.33 and CCleaner Cloud v1.07 Security Notification,” Piriform, March 5, 2019.

8 Sharon Stolting, Shawn Barrett, and David Kurz, Best Practices Guide: Acquisition of New Technology (Alexandria, VA: IACP, 2018).

9 IACP, IACP Technology Policy Framework (Alexandria, VA: IACP Law Enforcement Policy Center, 2014).

10 IACP, Cyber Report Card (Alexandria, VA: IACP Law Enforcement Policy Center, 2015); IACP, “IACP Law Enforcement Cyber Center.”


Please cite as

Scott A. Vantrease and Stacey A. Wright, “Cybersecurity Is a One-for-All Undertaking,” Police Chief online, June 26, 2019.